Richard Bejtlich's blog on digital security, strategic thought, and military history.

Thursday, April 28, 2005

Internal Revenue Service Hassling You? Cite Security Issues

I filed my taxes a few weeks ago. Now I read in Techweb and Reuters that the Internal Revenue Service's security is horrible. According to Andy Sullivan of Reuters:

"Security flaws in computer systems used by the Internal Revenue Service expose millions of taxpayers to potential identity theft or illegal police snooping, according to a congressional report released today.

The IRS also is unlikely to know if outsiders are browsing through citizens' tax returns because it doesn't effectively police its computer systems for unauthorized use, the Government Accountability Office found."

Greg Keizer writes even more disturbing findings:

"The GAO, for instance, found that nearly 7,500 mainframe users, which included IRS employees, independent contractors, and non-IRS government employees, all have the ability to access and even change 'sensitive taxpayer' data.

Lack of other security controls and wide-open access privileges mean that the IRS might not even know if an identity breach has occurred, said the GAO."

It sounds like the IRS cannot account for the integrity of its data. If that is the case, they cannot be sure if the information entered by an e-Filer is what the taxpayer actually entered. They cannot be sure of anything unless they have a paper record or duplicate, separate electronic record protected by alternate means. I guess it was a good idea for me to submit paper records to the IRS -- as long as they are available for review.